Skip to content

feat(network): implement ingress network policies #1017

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
merged 13 commits into from
Jan 21, 2025
Merged

feat(network): implement ingress network policies #1017

merged 13 commits into from
Jan 21, 2025

Conversation

@andrewazores
Copy link
Member

@andrewazores andrewazores commented Jan 16, 2025
edited
Loading

Welcome to Cryostat! 👋

Before contributing, make sure you have:

  • Read the contributing guidelines
  • Linked a relevant issue which this PR resolves
  • Linked any other relevant issues, PR's, or documentation, if any
  • Resolved all conflicts, if any
  • Rebased your branch PR on top of the latest upstream main branch
  • Attached at least one of the following labels to the PR: [chore, ci, docs, feat, fix, test]
  • Signed all commits: git commit -S -m "YOUR_COMMIT_MESSAGE"

Fixes: #1008
See #814
See also cryostatio/cryostat-helm#208

Description of the change:

Mirrors the NetworkPolicy implementation for ingress traffic from the Helm PR above.

Motivation for the change:

Adds network-level isolation to various Pods created by the Operator, so that traffic to each is only allowed from expected origins (assuming the cluster supports this feature). This prevents unexpected connections to the database or storage, which could result in data being leaked if authentication is not configured or is somehow bypassed.

How to manually test:

  1. Check out and build PR
  2. Deploy, then create a Cryostat CR with 1 reports replica
  3. Wait for everything to be reconciled
  4. oc describe networkpolicy
  5. See other testing steps in Helm PR, ex. use oc run and try to curl requests to http://cryostat-sample-reports:10000 or http://cryostat-sample-storage:8333.

@andrewazores andrewazores added feat New feature or request safe-to-test labels Jan 16, 2025
@andrewazores
Copy link
Member Author

andrewazores commented Jan 16, 2025

/build_test

@andrewazores
Copy link
Member Author

andrewazores commented Jan 16, 2025

https://github.com/cryostatio/cryostat-operator/actions/runs/12813863402

@github-actions
Copy link

github-actions bot commented Jan 16, 2025

/build_test completed successfully ✅.
View Actions Run.

@andrewazores andrewazores marked this pull request as ready for review January 16, 2025 18:35
@andrewazores andrewazores marked this pull request as draft January 16, 2025 18:35
@andrewazores andrewazores marked this pull request as ready for review January 16, 2025 19:40
@andrewazores
Copy link
Member Author

andrewazores commented Jan 16, 2025

/build_test

@andrewazores andrewazores requested a review from ebaron January 16, 2025 19:40
@github-actions
Copy link

github-actions bot commented Jan 16, 2025

/build_test completed successfully ✅.
View Actions Run.

@andrewazores andrewazores mentioned this pull request Jan 16, 2025
Merged
14 tasks
ebaron
ebaron reviewed Jan 20, 2025
View reviewed changes
internal/controllers/networkpolicy.go
},
Ports: []networkingv1.NetworkPolicyPort{
networkingv1.NetworkPolicyPort{
Port: &intstr.IntOrString{IntVal: constants.AuthProxyHttpContainerPort},
Copy link
Member

@ebaron ebaron Jan 20, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Do we need a policy for the agent gateway (nginx) port as well? This could theoretically be limited to inbound traffic from the target namespaces of the CR

Copy link
Member Author

@andrewazores andrewazores Jan 21, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Makes sense, I'll add that in

Copy link
Member Author

@andrewazores andrewazores Jan 21, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Opened as a separate PR: #1022

@andrewazores andrewazores mentioned this pull request Jan 21, 2025
Merged
7 tasks
ebaron
ebaron approved these changes Jan 21, 2025
View reviewed changes
Copy link
Member

@ebaron ebaron left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Seems to work well. I added a commit with a couple of changes:

  • Delete the NetworkPolicy object when the disabled property is true
  • Update the NetworkPolicy spec by placing it in the body of the CreateOrUpdate... method

What do you think?

@ebaron
Copy link
Member

ebaron commented Jan 21, 2025

/build_test

@github-actions
Copy link

github-actions bot commented Jan 21, 2025

/build_test completed successfully ✅.
View Actions Run.

@andrewazores
Copy link
Member Author

andrewazores commented Jan 21, 2025

Seems to work well. I added a commit with a couple of changes:

* Delete the NetworkPolicy object when the `disabled` property is true

* Update the NetworkPolicy spec by placing it in the body of the `CreateOrUpdate...` method

What do you think?

Nice, thanks. That looks good.

@andrewazores andrewazores merged commit 193c1a6 into cryostatio:split-deployment Jan 21, 2025
7 checks passed
@andrewazores andrewazores deleted the ingress-policy branch January 21, 2025 21:04
@andrewazores andrewazores mentioned this pull request Jan 22, 2025
Closed
7 tasks
@andrewazores andrewazores mentioned this pull request Feb 12, 2025
Merged
7 tasks
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@ebaron ebaron ebaron approved these changes

Assignees

No one assigned

Labels

feat New feature or request safe-to-test

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@andrewazores @ebaron